Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Managing risk using risk-based alerting in Splunk Enterprise Security

One of the primary challenges that security analysts face is that risk-based alerting can generate as many notables as traditional alerting. Additionally, if risk-based alerting is not curated, you might create duplicate risk notables.

While risk notables provide context during security investigations, an excessive number of risk notables, or duplicate risk notables generated by normal business activity, can confuse analysts and impede their ability to detect threats.

To get the maximum value from risk-based alerting in Splunk Enterprise Security and curate risk in your security operations center (SOC), you can adjust your risk incident rules. For example, when defining your search you might reduce the risk assigned to events that your assessment shows to be predictable, such as expected activity spikes at certain times of day or during the installation of new tools in your security environment.

You can also adjust risk notables based on how they relate to each other and on the potential threat associated with a specific risk notable.

You can also adjust the time range, or detection window, of your risk incident rules to reduce the number of alerts. For example, you might reduce the time range from 24 hours to 12 hours to focus on user activities during peak periods of activity.
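As an added example, not taken from the Splunk documentation or from the rules that ship with Enterprise Security, the following savedsearches.conf stanza defines a risk incident rule that runs over a 12-hour detection window, suppresses risk objects that are inside an expected-activity window, and throttles repeat notables for the same risk object. The stanza name, the expected_activity_lookup lookup and its fields, and the score and source-count thresholds are assumptions chosen for illustration.

```ini
# Added example of a risk incident rule stanza (not Splunk's own rule).
# Stanza name, lookup name and thresholds are assumptions for illustration.
[Risk Incident - User Risk Threshold Exceeded 12h - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.label = User Risk Threshold Exceeded (12h window)
# Run hourly over a 12-hour window instead of a 24-hour window, so the rule
# focuses on user activity during peak periods.
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -12h
dispatch.latest_time = now
# Aggregate risk events per user from the Risk data model, drop users who are
# inside an expected-activity window (assumed lookup expected_activity_lookup
# with fields risk_object, window_start and window_end in epoch seconds), and
# alert only when the combined score is high and several distinct detections
# contributed, which filters out a single noisy rule firing repeatedly.
search = | tstats summariesonly=true allow_old_summaries=true \
    sum(All_Risk.calculated_risk_score) as risk_score \
    count as risk_event_count \
    dc(All_Risk.source) as source_count \
    values(All_Risk.source) as source \
    dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count \
    values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id \
  from datamodel=Risk.All_Risk \
  where All_Risk.risk_object_type="user" \
  by All_Risk.risk_object All_Risk.risk_object_type \
| rename All_Risk.* as * \
| lookup expected_activity_lookup risk_object OUTPUT window_start window_end \
| where isnull(window_start) OR now() < window_start OR now() > window_end \
| where risk_score >= 100 AND source_count >= 3 \
| fields - window_start window_end
# Create one notable per risk object that crosses the threshold.
action.notable = 1
action.notable.param.rule_title = Risk threshold exceeded for $risk_object$ (12h window)
action.notable.param.severity = high
# Throttle repeats for the same user for 12 hours to avoid duplicate notables.
alert.suppress = 1
alert.suppress.fields = risk_object
alert.suppress.period = 12h
```

Tune the score threshold, the source count and the suppression period against your own risk event volume before enabling the rule; the values shown are placeholders, not recommended settings.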

Follow these best practices to manage risk in your security environment:

Last modified on 24 January, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2
